
WindowsThread

Struct WindowsThread 

pub struct WindowsThread<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,
{ /* private fields */ }

A Windows thread.

A thread in Windows is represented by the _ETHREAD structure, which contains metadata about its execution state, context, and scheduling.

§Implementation Details

Corresponds to _ETHREAD.

Implementations§


impl<'a, Driver> WindowsThread<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


pub fn new(vmi: VmiState<'a, WindowsOs<Driver>>, thread: ThreadObject) -> Self

Creates a new Windows thread.


pub fn process(&self) -> Result<WindowsProcess<'a, Driver>, VmiError>

Returns the process object associated with the thread.

§Implementation Details

Corresponds to _KTHREAD.Process.


pub fn apc_state_index(&self) -> Result<u8, VmiError>

Returns the index into KTHREAD.ApcStatePointer that selects the thread’s currently active APC environment.

  • 0 (OriginalApcEnvironment): thread is running in its original process.

  • 1 (AttachedApcEnvironment): thread is temporarily attached to a foreign process via KeStackAttachProcess / KeAttachProcess.

    The original KTHREAD.ApcState is preserved in KTHREAD.SavedApcState.

§Implementation Details

Corresponds to _KTHREAD.ApcStateIndex.


pub fn is_attached(&self) -> Result<bool, VmiError>

Returns whether the thread is currently attached to a foreign process context (i.e. running under another process’s address space).

§Implementation Details

Corresponds to _KTHREAD.ApcStateIndex != 0.


pub fn current_process(&self) -> Result<WindowsProcess<'a, Driver>, VmiError>

Returns the process whose address space the thread is currently executing in. When the thread is attached (see is_attached), this differs from process(), which always returns the thread’s home process.

§Implementation Details

Corresponds to _KTHREAD.ApcState.Process.


pub fn saved_process( &self, ) -> Result<Option<WindowsProcess<'a, Driver>>, VmiError>

Returns the thread’s saved home process, or None when the thread is not attached (the saved process pointer is NULL).

§Implementation Details

Corresponds to _KTHREAD.SavedApcState.Process.


pub fn impersonation_token( &self, ) -> Result<Option<WindowsToken<'a, Driver>>, VmiError>

Returns the thread’s impersonation token, or None when the thread is not currently impersonating.

§Implementation Details

Corresponds to _ETHREAD.ClientSecurity.ImpersonationToken, gated on _ETHREAD.ActiveImpersonationInfo.


pub fn next_processor(&self) -> Result<VcpuId, VmiError>

Returns the ID of the processor the thread is bound to.

For a Running thread this is the CPU currently executing it. For a Ready or Standby thread this is the CPU the scheduler has selected for its next run.

§Implementation Details

Corresponds to _KTHREAD.NextProcessor.


pub fn alertable(&self) -> Result<bool, VmiError>

Returns whether the thread is currently alertable.

§Notes

Usually only trustworthy when _KTHREAD.State == Waiting.

§Implementation Details

Corresponds to _KTHREAD.Alertable.


pub fn wait_mode(&self) -> Result<WindowsProcessorMode, VmiError>

Returns the thread’s wait mode.

§Notes

Usually only trustworthy when _KTHREAD.State == Waiting.

§Implementation Details

Corresponds to _KTHREAD.WaitMode.


pub fn wait_reason(&self) -> Result<WindowsThreadWaitReason, VmiError>

Returns the thread’s wait reason.

§Notes

Usually only trustworthy when _KTHREAD.State == Waiting.

§Implementation Details

Corresponds to _KTHREAD.WaitReason.


pub fn teb(&self) -> Result<Option<WindowsTeb<'a, Driver>>, VmiError>

Returns the thread’s TEB, or None when the thread has no TEB (e.g. a pure kernel thread).

§Implementation Details

Corresponds to _KTHREAD.Teb for the native TEB, and Teb64 + ROUND_TO_PAGES(sizeof(TEB)) for the WoW64 TEB.


pub fn native_teb(&self) -> Result<Option<WindowsTeb<'a, Driver>>, VmiError>

Returns the thread’s native TEB.

§Implementation Details

Corresponds to _KTHREAD.Teb.


pub fn trap_frame( &self, ) -> Result<Option<WindowsTrapFrame<'a, Driver>>, VmiError>

Returns the thread’s trap frame.

Points to the most recent user-to-kernel transition trap frame for the thread. It records the user-mode register state that was captured when the thread entered the kernel via a syscall, interrupt, or exception.

Returns None (the pointer is NULL) when the thread is executing purely in kernel mode and has not entered the kernel via a user-mode trap.

§Implementation Details

Corresponds to _KTHREAD.TrapFrame.


pub fn state(&self) -> Result<WindowsThreadState, VmiError>

Returns the thread’s scheduling state.

§Implementation Details

Corresponds to _KTHREAD.State.


pub fn kernel_stack(&self) -> Result<Va, VmiError>

Returns the saved kernel stack pointer for this thread.

For threads that are not currently running, this is the stack pointer value saved during the last context switch (KiSwapContext); for a running thread the value is stale.

§Implementation Details

Corresponds to _KTHREAD.KernelStack.

Trait Implementations§


impl<'a, Driver> From<WindowsThread<'a, Driver>> for WindowsObject<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn from(value: WindowsThread<'a, Driver>) -> Self

Converts to this type from the input type.

impl<'a, Driver> FromWindowsObject<'a, Driver> for WindowsThread<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn from_object( object: WindowsObject<'a, Driver>, ) -> Result<Option<Self>, VmiError>

Attempts to convert a WindowsObject into this specific object type, returning None when the object is not of that type.

impl<'a, Driver> VmiOsThread<'a, Driver> for WindowsThread<'a, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn id(&self) -> Result<ThreadId, VmiError>

Returns the thread ID.

§Implementation Details

Corresponds to _ETHREAD.Cid.UniqueThread.


fn object(&self) -> Result<ThreadObject, VmiError>

Returns the thread object.


type Os = WindowsOs<Driver>

The VMI OS type.

impl<Driver> VmiVa for WindowsThread<'_, Driver>
where Driver: VmiRead, Driver::Architecture: ArchAdapter<Driver>,


fn va(&self) -> Va

Returns the virtual address.

Auto Trait Implementations§


impl<'a, Driver> !RefUnwindSafe for WindowsThread<'a, Driver>


impl<'a, Driver> !Send for WindowsThread<'a, Driver>


impl<'a, Driver> !Sync for WindowsThread<'a, Driver>


impl<'a, Driver> !UnwindSafe for WindowsThread<'a, Driver>


impl<'a, Driver> Freeze for WindowsThread<'a, Driver>


impl<'a, Driver> Unpin for WindowsThread<'a, Driver>


impl<'a, Driver> UnsafeUnpin for WindowsThread<'a, Driver>

Blanket Implementations§


impl<T> Any for T
where T: 'static + ?Sized,


fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> ArchivePointee for T


type ArchivedMetadata = ()

The archived version of the pointer metadata for this type.

fn pointer_metadata( _: &<T as ArchivePointee>::ArchivedMetadata, ) -> <T as Pointee>::Metadata

Converts some archived metadata to the pointer metadata for itself.

impl<T> Borrow<T> for T
where T: ?Sized,


fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,


fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
where ST: ?Sized, DT: ?Sized,


impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
where ST: ?Sized, DT: ?Sized,


impl<T> From<T> for T


fn from(t: T) -> T

Returns the argument unchanged.


impl<T> Instrument for T


fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,


fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.


impl<T> LayoutRaw for T


fn layout_raw(_: <T as Pointee>::Metadata) -> Result<Layout, LayoutError>

Returns the layout of the type.

impl<T, N1, N2> Niching<NichedOption<T, N1>> for N2
where T: SharedNiching<N1, N2>, N1: Niching<T>, N2: Niching<T>,


unsafe fn is_niched(niched: *const NichedOption<T, N1>) -> bool

Returns whether the given value has been niched. Read more

fn resolve_niched(out: Place<NichedOption<T, N1>>)

Writes data to out indicating that a T is niched.

impl<T> Pointee for T


type Metadata = ()

The metadata type for pointers and references to this type.

impl<T> PolicyExt for T
where T: ?Sized,


fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more

impl<T> Read<Exclusive, BecauseExclusive> for T
where T: ?Sized,


impl<T, U> TryFrom<U> for T
where U: Into<T>,


type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,


type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T


fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more